31 August, 2021
FedRAMP penetration testing requirements
The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that aims to provide a standard approach for security assessments and continuous monitoring of cloud-based services and products. The Office of Management and Budget (OMB) laid the foundation for this program in line the Cloud First Policy of the US federal government in 2011. For cloud service providers that plan on providing services to federal agencies, a FedRAMP approval for their services is a must.
Understanding FedRAMP compliance requirements
FedRAMP defines cloud services as a commercial cloud service offering (CSO). CSOs are offered by cloud service providers (CSPs). A CSO must meet the requirements specified in NIST SP 800-53 along with the supplementary documentation provided by the Project Management Office (PMO) of FedRAMP. A CSP becomes authorized to provide services to a federal agency when it receives an Authority to Operate (ATO). High-level compliance requirements for FedRAMP are as follows:
- Completion of FedRAMP documentation requirements
- Implementing controls in line with FIPS 199 categorization
- Third-party assessment (3PAO) of CSO
- Development of a Plan of Action and Milestones (POA&M)
- Obtaining a provisional ATO (P-ATO) from the Joint Authorization Board (JAB) or agency-specific ATO
- Implementing a Continuous Monitoring (ConMon) program, including monthly vulnerability scans
Mandatory FedRAMP Attack Vectors
FedRAMP defines an attack vector as a potential avenue of compromise that can impact the integrity, confidentiality, or availability of your networks and systems. For third-party assessments, FedRAMP prescribes that penetration tests should cover the following attack vectors:
- External to Corporate (External untrusted to Internal untrusted): Internet-based attack to gain useful information about the target cloud system via CSP-owned and operated external network.
- External to Target System (External untrusted to External trusted): Internet-based attack to gain unauthorized access to the target system (without credentials).
- Target System to CSP Management System (External trusted to Internal trusted): External attack as an authorized user for accessing the CSM management system.
- Tenant to Tenant (External trusted to External trusted): External attack as an authorized user with a tenant environment as the source to access or compromise another tenant instance within the target system.
- Corporate to CSP Management System (Internal untrusted to Internal trusted): Internal attack to access the target management system through a system with known vulnerability on the corporate network to mimic a malicious device.
- Mobile Application (External untrusted to External trusted): Attack to access the CSP target system or its mobile application as a mobile application user.
FedRAMP penetration testing methodology and scope requirements
As per the FedRAMP guidance on penetration testing methodology, a penetration test shall have five phases: Scoping, Discovery, Exploitation, Post-exploitation, and Reporting. The scope of a penetration test shall include web application & API, mobile application, network, social engineering, and simulated internal attacks. The second phase is related to gather information and map the attack surface area of the target system of CSP. This phase will involve activities such as:
- Web application & API:
- Identify publicly available information about the target web application.
- Identify the architecture of the target web application, including servers, databases, middleware, and other technologies.
- Identify user account roles, entry points, and authorization mechanisms.
- Map all the functionalities of a web application.
- Perform server configuration checks.
- Mobile application:
- Identify publicly available information about the target mobile application.
- Map all the functionalities of the mobile application
- Identify the permissions required by the mobile application.
- Perform open-source intelligence (OSINT) gathering activities.
- Enumerate and fingerprint available network endpoints, services, and operating systems.
- Perform vulnerability scans.
- Social engineering:
- Perform internet searches to gather information about individuals responsible for the management of the target system.
- Simulated internal attack:
- Perform a scope determination exercise with CSP to determine potential attack vectors.
- Perform vulnerability scans.
For the Exploitation phase, FedRAMP recommends a set of attack vectors that must be tested during the exploitation phase. They are:
- Web application & API: Authorization, application logic, input validation, authentication, and session management.
- Mobile application: Authorization, data storage, and information disclosure.
- Network: Attack scenarios, exploitation, and record results.
- Social engineering: Spear phishing exercise.
- Simulated internal attack: Privilege escalation, and record results.
On similar lines, the FedRAMP penetration testing guidance recommends a list of activities to be performed in the post-exploitation phase, such as lateral movement, privilege escalation, situational awareness, and data exfiltration. For reporting, it provides precise guidance on the report contents. A report is expected to address the following sections:
- Scope of the target system
- Attack vectors covered during the penetration test
- Assessment activity timeline
- Tests and results
- Findings and evidence
- Access paths
FedRAMP states that a penetration test must be conducted by a 3PAO during the assessment process of a CSP. After this, it is mandatory to complete a penetration test annually. A federal agency that a CSP is working with may grant a documented exception for the same.
FedRAMP requirements for Third-party Assessment Organization (3PAO)
FedRAMP specifies that a 3PAO must conduct penetration testing exercises with a well-defined penetration testing methodology and proven proficiency. For every penetration test, the assessment organization must approve the penetration test team lead. Industry recognized credentials are:
- Offensive Security: OSCP, OSCE
- Global Information Assurance Certification: GWAPT, GPEN, GXPN
- EC-Council: CEH, LPT
BreachLock is a SaaS vendor that provides a single platform to meet all the security testing needs of our clients. Being a cloud-based provider ourselves, we understand the specific threats and risks faced by our fellow cloud-based service providers. To meet our clients’ security testing requirements, we execute comprehensive penetration testing exercises, along with providing support for retests and patch validation. After the successful completion of the test, we provide a third-party security certification. Our penetration testing methodology is derived from best practices recommended by OWASP, OSSTMM and NIST. As all of our offerings are facilitated through our client platform, our clients receive high quality and consistent results.